Widely believed to first
appear on the internet on September 5 2013, Crypto Locker is a ransomware
Trojan virus targeted at computers running Microsoft Windows® operating
systems. Primarily propagated through infected email attachments, the virus
uses existing botnets when activated to encrypt some types of files stored on
the local disk drive and other mounted network drives, using RSA public-key
cryptography.

Attacks from CryptoLocker virus
have sky rocketed since it first appeared online, causing damage and disruption
to millions of personal and business systems, netting the hack perpetrators
over $3 Billion in ransom from their victims in 2016.

The CryptoLocker virus takes
users to ransom by hijacking non .EXE extension files and documents which could
contain pictures, music, videos and word documents that would most likely be
valuable to the users’ daily workloads.

The hackers then demand
payment of a ransom of around $499, usually against a time scale of 96 hours in
order to unlock the .7z encrypted files and folders. The encrypted digital
currency Bitcoin is often the mode of ransom demand from the hackers, with
a threat to destroy the private decryption key after the time has expired.Watch CryptoLocker In Action

Mode of Transmission of the CryptoLocker Virus

The main technique employed by
hackers to perform this type of attack is social engineering, tricking the user
to open a password-protected ZIP file attached to an email deceitfully claiming
to originate from a logistics company.

Further proof of legitimacy of
the email is implied when the hackers include the password required to open the
file bundled in the email. CryptoLocker Trojan then takes advantage of Windows
operating systems’ own defence mechanism of hiding file extensions from file
names, in order to disguise the true .EXE extension of the malicious file.

All that is required from this
stage is for the user to run the program and the Trojan becomes memory resident
of the target machine. This causes the following actions to occur;

The
malware is designed to save itself to AppData, LocalAppData folder located in
the user’s profile.

A
special key is then added to the registry to ensure the malware runs every time
the user starts up their computer.

§To
ensure the main process of the virus never gets terminated, the malware spawns
two processes of itself with the second designed to protect the first against
termination, making it a very dangerous virus indeed.

Encryption Algorithm Deployed by CryptoLocker
Trojan

A random symmetric key is
generated by the Trojan for each file it encrypts, using AES algorithm. The
random key is then encrypted using an asymmetric public-private key encryption
algorithm (RSA), resulting in keys of over 1024 bits or in some cases even
2048-btt keys being added to the encrypted file.

This complicated encryption
procedure ensures only the owner of the private RSA key can retrieve the random
key used to encrypt the file. In addition, since the malware overwrites
existing computer files, it is impossible to retrieve them with current data
recovery forensic techniques.

Once the Trojan is activated,
it quickly proceeds to obtain the public key (PK) from its C&C server by
deploying a mass fixed domain generation algorithm (DGA) referred to as the
‘Mersenne Twister’, using the current system clock as seed to generate up to
1,000 different fixed sized domains every day.

Domain Generation Algorithm (DGA) also known as the ‘Mersenne Twister’

After the Trojan has
downloaded the Public Key, it invades your Windows registry to save the key as:
HKCUSSoftwareCryptoLockerPublic
Key. The virus then begins the process of encrypting files on the hard
disk and along with any shared or mapped network drives. Below are some
extensions CryptoLocker Trojan attacks;

The virus then saves a log of
each encrypted file to registry as below;

HKEY_CURRENT_USERSoftwareCryptoLockerFiles

Once the encryption is
complete, a splash screen is displayed to the user demanding a ransom payment
of varying amounts against a time limit. The hackers typically threaten to
delete the private decryption key they now hold on their servers.

Removing the CryptoLocker Trojan Virus and
Restoring Encrypted Files

If the suspected computer
infected with the Crypto virus is identified to be part of a network, all steps
must be taken to isolate the PC from the rest of the network to stop the virus
replicating.

Running an anti-malware
program such as MalwareBytes® and Spy Hunter® on a full system scan can detect
and remove the malware. It is advisable to run a similar scan on any other
computers in the network connected to the source of the attack.

Downloading award winning BullGuard® anti-virus and
running a second full system scan ensures your PC is free from malware and spyware, especially because they are memory resident. Manage firewall, check for vulnerabilities, scan your network and protect your online identity on banking and financial web applications.

Recovery from a CryptoLocker Trojan Attack by
Restoring Encrypted Files

If these types of attacks
teach us one thing, it reaffirms the absolute importance of taking regular
differential and full data back-ups with a strongly documented disaster recovery
plan.

Unlike other types of
attacks that aim to exploit your data and sell to cyber criminals, CryptoLocker
Trojan attacks costs their victims a lot of productive hours by blocking access
to your files; with the ultimate aim of extorting money from users through
encrypted ransom demands.Method 1: Decrypt Encrypted Files on Android Devices with Avast®
Ransomware Tool.

Good News! Android device
users now have an effective anti-malware program in Avast Ransomware Tool.

The software itself is free on
Google Play Store® as are many powerful Avast products, with the ability to
power scan and decrypt any files that become encrypted with SimpLocker,
CryptoLocker and other families of ransomware computer viruses.

It is unclear if the anti-virus company have any plans to develop this
decryption tool for PC and MAC. More information about this will be available
on our Twitter page @ixploitcybersecurity when it becomes
available.

Be sure to uninstall the app
after decrypting your files to give you back control of your device. If you believe
as an administrator the likelihood of an imminent attack from spam emails, Avast Internet Security 2016®
offers an intelligent anti-virus that can detect malware, spyware, phishing
attacks and ransomware.

A powerful firewall and a
revolutionary sandbox lets you test downloaded software in a test environment,
completely sealed off from the rest of your PC. A strong security standard is
employed to ensure devices in your home are hidden from any hacker listening in
on traffic on your network.

Method 2: This
is where the practice of regular back-ups comes to the rescue. Many forms of
back-ups exist such as Synology® drives or cloud back-ups from providers like
Symantec, CloudBerry and Glacier storage vaults from Amazon Web Services (AWS). To avoid paying the ransom, the best way is to wipe the infected
system and restore all files from one of your full back-ups.

Method 3: Try using previous versions of Windows
automatically saved as part of system restore. Learn more about this function
here.

Launch Shadow Explorer and select from the drop
down list one of the available point-in-time Shadow Copies. Choose the drive
and the latest date you want to restore from.

Right-click on any encrypted file or even
entire folders and begin to Export
it. You will then be prompted to choose the location you would like the files
restored to. This process may help you recover all the encrypted files or at
least a percentage of them.

How to Avoid Infection from CryptoLocker Trojan
Virus

As already discussed above,
the CryptoLocker malware is spread via email using social engineering
techniques. Therefore, that should be your main point of defence against the
Trojan.

Using powerful email filtering systems like Spam Arrest which you can try Free for 30 days, Symantec
Message Labs® and Mimecast can help create strict rules for incoming and outgoing emails to
limit the exposure of internal email addresses to potential hackers.

Limiting the range of company Wi-Fi signals to
prevent hackers from gaining access to any resource on the network that may
contain employee data information. In organizations where extreme security measures are of top priority, the SSID of the network could be hidden completely from all unauthorized external devices.

Carefully scrutinizing emails from unknown
senders, especially those with attachments.

Disabling hidden file extensions in Windows
also helps to recognize patterns of this type of attack.

Ensuring your back-up systems are up to date
and keeping on top of regular maintenance. This helps with incidence response
after an attack.

In the unfortunate event that your systems get
infected and you find yourself without any back-ups, it is highly recommended
not to pay the ransom. Not only does paying help fund the hackers’ business
model, there have been reported cases where ransoms are paid using the Cryptocurrency Bitcoin and files still remain
encrypted.

Microsoft has now released a security update on 14 March 2017 to patch the vulnerability which unknowingly got sink-holed when a cyber-security researcher registered a domain name, slowing down the ongoing encryption attack on organisations worldwide.

It is vital organisations still running Windows XP, Vista and Server 2003/2008 operating systems to install critical patch updates as variants of WannaCry also known as Wanna Decryptor, WannaCrypt, WannaCrypt0r 2.0 have reportedly emerged in many countries.

Hope you enjoyed reading our article. Feel free to leave us
any comments or make suggestions on how to prevent attacks from CryptoLocker
Trojan Malware, via our email info@codexploitcybersecurity.com. Thank you for
investing your time with us.

As per infection information discharged by a notable Antivirus Company, in year 2013, there were more than 250,000 one of a kind examples of ransomware in first quarter of 2013. how i can clean my pc form flooders malware

There are certainly a lot of details like that to take into consideration. That is a great point to bring up. I offer the thoughts above as general inspiration but clearly there are questions like the one you bring up where the most important thing will be working in honest good faith. I don?t know if best practices have emerged around things like that, but I am sure that your job is clearly identified as a fair game. Both boys and girls feel the impact of just a moment?s pleasure, for the rest of their lives